eGEON Analytics - Web, Data & Mobile Development

SAML vs. OAuth: A Quick Guide to API Authentication


SAML is an open XML standard for exchanging authentication and authorization data between an identity provider and a service provider. The web server or cloud service where you are trying to access information is the "service provider", while the client is any web-based application that is accessing those services. For example, a user opens a web site where they upload documents securely and need to log in. To authenticate the user, the web site creates an AuthnRequest, signs it, encrypts it and then redirects the browser to an identity provider for authentication. Once the identity provider receives the request, it decodes and decrypts it and verifies the signature. Given a valid AuthnRequest, the identity provider presents a login form (a username and password form, for example). The identity provider then generates a SAML token, which can include identity information, permissions, etc. The user can now upload files to the site since they have been authenticated via SAML.

SAML's limitations show up in the "HTTP Redirect" and "HTTP POST" bindings: when applied to native mobile apps, these fail to read the SAML token, because there is no HTTP POST body and URLs are restricted to launching the application. Workarounds for this fundamental problem exist (a proxy server, for instance), but they are mostly clunky, and the case is better handled using OAuth 2.0. For browser-based applications, however, SAML is a perfect authentication strategy since the SAML token contains the user's identity information.
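The service-provider side of the flow described above has to do more than decode the token: before trusting the identity in it, the SP checks that the response answers a request it actually issued, is addressed to its own endpoint, is within its validity window, and was minted for this SP and not another one. The following is an added example (not code from this post or from eGEON) of those checks in Python's standard library. The hostnames, request ID and assertion contents are constructed, and the block assumes the XML signature was already verified against the IdP's certificate with an XML-DSig library, which is a separate step it does not perform.

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml.ElementTree
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what an IdP posts back to the SP's Assertion Consumer
# Service (ACS) after login, already base64-decoded. Hostnames and IDs are
# made up; the ds:Signature element is omitted because this block assumes the
# signature was verified earlier against the IdP certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.com/acs" InResponseTo="_req_abc123">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://sp.example.com/acs" InResponseTo="_req_abc123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(s):
    """Parse the UTC timestamps SAML uses, e.g. "2024-01-01T12:00:00Z"."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, outstanding_requests, acs_url, sp_entity_id,
                           now, skew=timedelta(seconds=60)):
    """Return the asserted NameID, or raise ValueError if any check fails.

    outstanding_requests: set of AuthnRequest IDs this SP issued and has not
    yet consumed; the matching InResponseTo is removed on success so the same
    response cannot be replayed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # The response must be addressed to us and must answer a request we made.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise ValueError("unsolicited or replayed response")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion present")

    # Validity window, with a small allowance for clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + skew < saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    # Audience restriction: a token minted for another SP must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this service provider")

    # Bearer confirmation: recipient and InResponseTo must match this request too.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != req_id:
        raise ValueError("subject confirmation does not match this request")
    if now - skew >= saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")

    outstanding_requests.discard(req_id)  # one-time use: blocks replay of this response
    return assertion.find("saml:Subject/saml:NameID", NS).text
```

The `outstanding_requests` set stands in for whatever store the SP keeps its issued request IDs in; consuming the ID on success is what turns the InResponseTo check into replay protection rather than just a format check.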

OAuth has really become the de facto open authorization standard given its wide use by the likes of Facebook, Google and Twitter. At a high level, the flows of OAuth and SAML are similar. OAuth2 provides three additional authorization flows that suit different requirements; for example, different flows exist for native mobile apps, single-page JS apps, web apps and desktop apps. OAuth2 flows offer the advantage of communicating between the Authorization Server and the Client/Resource Server over HTTP (HTTPS) redirects, with token information provided as query parameters. Native mobile applications work with OAuth without any cumbersome workarounds, which is why developers prefer it as their authentication technology.
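For the native-mobile-app case the paragraph above describes, the flow that fits is the authorization code flow with PKCE (RFC 7636, as recommended for native apps by RFC 8252): the app has no client secret it could keep, so it binds the redirect back to itself with a one-time `state` value and proves possession of the code it redeems with a `code_verifier`. The following is an added example (not code from this post or from eGEON) that plays both sides of that exchange in Python's standard library. The client ID, redirect URI and endpoint URL are made-up assumptions; the in-memory `AuthorizationServer` stands in for a real server's persistent code store.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class NativeApp:
    """The public client (a mobile app). It holds no client secret; the state
    parameter and PKCE bind the returned code to this particular launch."""

    def __init__(self, client_id, redirect_uri, authorize_endpoint):
        self.client_id = client_id          # assumed value, registered with the server
        self.redirect_uri = redirect_uri    # custom-scheme URI the app is registered to open
        self.authorize_endpoint = authorize_endpoint
        self.state = self.verifier = None

    def start(self) -> str:
        """Return the authorization URL to open in the system browser."""
        self.state = b64url(secrets.token_bytes(16))
        self.verifier = b64url(secrets.token_bytes(32))  # 43 chars, never leaves the device
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid profile",
            "state": self.state,
            "code_challenge": pkce_challenge(self.verifier),
            "code_challenge_method": "S256",
        }
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> dict:
        """Turn the redirect the browser handed back into a token request."""
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: not the flow this app started")
        return {
            "grant_type": "authorization_code",
            "code": q["code"][0],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "code_verifier": self.verifier,
        }


class AuthorizationServer:
    """Minimal server side: issues single-use codes and checks PKCE on redemption."""

    def __init__(self):
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, request_url: str) -> str:
        """Called once the user has authenticated and consented; returns the redirect URL."""
        q = parse_qs(urlparse(request_url).query)
        if q.get("code_challenge_method", [None])[0] != "S256":
            raise ValueError("PKCE with S256 is required for public clients")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, req: dict) -> dict:
        entry = self.pending.pop(req.get("code"), None)  # a code is redeemable exactly once
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        client_id, redirect_uri, challenge = entry
        if req.get("client_id") != client_id or req.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_grant: client or redirect_uri mismatch")
        # Whoever redeems the code must hold the verifier behind the challenge sent at start.
        if not secrets.compare_digest(pkce_challenge(req.get("code_verifier", "")), challenge):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 3600}


def run_flow() -> dict:
    """Drive one complete exchange between the app and the server."""
    server = AuthorizationServer()
    app = NativeApp("mobile-app", "com.example.app:/oauth2redirect", "https://as.example.com/authorize")
    auth_url = app.start()                  # opened in the system browser
    callback = server.authorize(auth_url)   # user logs in; browser is redirected back to the app
    return server.token(app.handle_callback(callback))
```

Two things are worth noticing in contrast to passing tokens in query parameters: the code that travels through the redirect is useless on its own, since redeeming it requires the verifier that stayed in the app, and the server refuses a second redemption of the same code, so a code observed in a URL cannot be reused.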

Simply put, OAuth provides a simple and standardized solution for authorization with native mobile apps without building a workaround for interoperability. General rule: if you have mobile apps in your technology mix, OAuth is the more efficient solution for authentication.
